POST https://api-dev.weir.ai/auth/refresh/token
curl -X POST 'https://api.weir.ai/auth/refresh/token' \
  -H 'Content-Type: application/json' \
  -d '{
    "refreshToken": "refresh_token_123456789"
  }'
{
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
    "refreshToken": "new_refresh_token_987654321",
    "expiresIn": 3600
  },
  "message": "Token refreshed successfully",
  "status": "success"
}

Refresh Token

Refresh expired access tokens using a valid refresh token to maintain uninterrupted API access.

Authentication

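This endpoint does not require authentication, as it is used to refresh expired tokens: no Authorization header is sent, and the refresh token in the request body is the only credential presented.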

Request Body

  • refreshToken (string, required): The refresh token obtained from the login endpoint.

Response Fields

  • data (object, required): Token refresh data object containing new tokens.
  • message (string, required): Human-readable message describing the result of the operation.
  • status (string, required): Operation status. Always “success” for successful token refresh.

Error Responses

{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid request parameters",
    "details": {
      "refreshToken": "Refresh token is required"
    }
  },
  "status": "error"
}
Causes:
  • Missing refresh token
  • Invalid request format
{
  "error": {
    "code": "INVALID_REFRESH_TOKEN",
    "message": "Invalid or expired refresh token",
    "details": "The provided refresh token is invalid or has expired"
  },
  "status": "error"
}
Causes:
  • Invalid refresh token
  • Expired refresh token
  • Already used refresh token
{
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "Too many refresh requests",
    "details": "Rate limit of 20 refresh requests per minute exceeded"
  },
  "status": "error"
}
Solution: Wait for the rate limit window to reset before making another refresh request.

Usage Examples

const refreshToken = async (refreshTokenValue) => {
  try {
    const response = await fetch('https://api.weir.ai/auth/refresh/token', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({ refreshToken: refreshTokenValue })
    });
    
    if (!response.ok) {
      throw new Error(`HTTP error! status: ${response.status}`);
    }
    
    const data = await response.json();
    
    // Update stored tokens
    localStorage.setItem('accessToken', data.data.accessToken);
    localStorage.setItem('refreshToken', data.data.refreshToken);
    
    return data;
  } catch (error) {
    console.error('Token refresh error:', error);
    throw error;
  }
};

// Usage
const newTokens = await refreshToken('refresh_token_123456789');
console.log('New access token:', newTokens.data.accessToken);

Token Management Best Practices

class TokenManager {
  constructor() {
    this.accessToken = localStorage.getItem('accessToken');
    this.refreshToken = localStorage.getItem('refreshToken');
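    // localStorage returns strings; convert the stored expiry back to epoch milliseconds
    this.tokenExpiresAt = Number(localStorage.getItem('tokenExpiresAt')) || null;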
  }
  
  async makeRequest(url, options = {}) {
    // Check if token needs refresh (5 minutes before expiration)
    if (this.tokenExpiresAt && Date.now() >= this.tokenExpiresAt - 300000) {
      await this.refreshAccessToken();
    }
    
    return fetch(url, {
      ...options,
      headers: {
        'Authorization': `Bearer ${this.accessToken}`,
        'x-source': 'console',
        ...options.headers
      }
    });
  }
  
  async refreshAccessToken() {
    const data = await refreshToken(this.refreshToken);
    this.accessToken = data.data.accessToken;
    this.refreshToken = data.data.refreshToken;
    this.tokenExpiresAt = Date.now() + (data.data.expiresIn * 1000);
    
    // Update stored tokens
    localStorage.setItem('accessToken', this.accessToken);
    localStorage.setItem('refreshToken', this.refreshToken);
    localStorage.setItem('tokenExpiresAt', this.tokenExpiresAt);
  }
}

async function handleTokenRefresh() {
  try {
    // Read the current refresh token from the same storage refreshToken() writes to
    await refreshToken(localStorage.getItem('refreshToken'));
    return true; // Success
  } catch (error) {
    if (error.message.includes('401') || error.message.includes('INVALID_REFRESH_TOKEN')) {
      // Refresh token is invalid, redirect to login
      localStorage.clear();
      window.location.href = '/login';
      return false;
    }
    throw error; // Re-throw other errors
  }
}

Rate Limits

  • Rate Limit: 20 requests per minute per user
  • Burst Limit: 50 requests per 5-minute window

Security Considerations

  • Refresh tokens are rotated on each use for enhanced security
  • Old refresh tokens become invalid immediately after use
  • Always store the new refresh token returned from this endpoint
  • Store refresh tokens securely with appropriate encryption
  • Use secure storage mechanisms (not localStorage for sensitive apps)
  • Implement proper token cleanup on logout
  • Always use HTTPS for token refresh requests
  • Implement proper error handling without exposing sensitive information
  • Monitor for suspicious refresh patterns
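
Because refresh tokens are single-use, two requests that trigger a refresh at the same moment both send the same token, and the second is rejected as an already used refresh token. The following added example (not part of the Weir documentation or SDK) shares one in-flight refresh among concurrent callers and keeps tokens in memory; `postRefresh`, `SingleFlightTokenManager` and `makeFakeServer` are hypothetical names, and the fake server is constructed to mimic the rotation described above.

```javascript
// Added example, not Weir's code. `postRefresh` is a hypothetical injected function
// that POSTs { refreshToken } to /auth/refresh/token and resolves to the JSON body.
class SingleFlightTokenManager {
  constructor(postRefresh, { accessToken, refreshToken, expiresAt }) {
    this.postRefresh = postRefresh;
    this.accessToken = accessToken;     // held in memory, not localStorage
    this.refreshToken = refreshToken;
    this.expiresAt = expiresAt;         // epoch milliseconds
    this.inFlight = null;
  }

  // Concurrent callers share one promise, so the single-use token is sent once.
  refresh() {
    if (!this.inFlight) {
      this.inFlight = this.rotate().finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }

  async rotate() {
    const body = await this.postRefresh(this.refreshToken);
    if (body.status !== 'success') {
      const err = new Error(body.error.message);
      err.code = body.error.code;       // e.g. INVALID_REFRESH_TOKEN
      throw err;
    }
    // Replace both tokens together: the old refresh token is no longer valid.
    this.accessToken = body.data.accessToken;
    this.refreshToken = body.data.refreshToken;
    this.expiresAt = Date.now() + body.data.expiresIn * 1000;
    return this.accessToken;
  }
}

// Constructed stand-in for the endpoint: rotates on use, rejects reused tokens.
function makeFakeServer(validToken) {
  const server = { calls: 0, valid: validToken };
  server.post = async (token) => {
    server.calls += 1;
    if (token !== server.valid) {
      return { status: 'error', error: { code: 'INVALID_REFRESH_TOKEN',
        message: 'Invalid or expired refresh token' } };
    }
    server.valid = `rt_${server.calls}`;
    return { status: 'success', data: { accessToken: `at_${server.calls}`,
      refreshToken: server.valid, expiresIn: 3600 } };
  };
  return server;
}
```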

Best Practices

Implement Auto-Refresh

Set up automatic token refresh before expiration to ensure uninterrupted API access.

Handle Refresh Failures

Implement proper error handling for refresh token failures and redirect to login when needed.

Update Token Storage

Always update stored tokens with the new values returned from the refresh endpoint.

Monitor Token Usage

Monitor token refresh patterns and implement alerts for suspicious activity.
Pro Tip: Implement a token manager that automatically handles token refresh in the background, so your application code doesn’t need to worry about token expiration.